

A targeted, email-borne attack against embassy officials and government finance authorities globally is making use of a malicious attachment disguised as a top-secret U.S. document. It weaponizes TeamViewer, the popular remote-access and desktop-sharing software, to gain full control of the infected computer. While the tactics and targets are APT-like, Check Point researchers suspect that the cyberattacker behind the effort is actually financially motivated.

The attack starts with an email claiming to send the target information about a U.S. “Military Financing Program.” The attached Excel file is marked “Top Secret” and purports to be from the U.S. According to Check Point, which has been following the campaign, the document is “well-crafted,” with little to tip off the recipient that anything is awry other than the fact that the attachment name is in Cyrillic.

Potential victims are prompted to enable macros, and once they do, a legitimate AutoHotkeyU32.exe program is launched, along with an AHK script, which fetches three additional AHK script URLs from the command-and-control (C2) server. The scripts take screenshots of the victim’s PC and capture the victim’s username and computer information, sending that to the C2. The third script also downloads a malicious version of TeamViewer.

“The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more functionality to TeamViewer by hooking Windows APIs called by the program,” Check Point researchers explained in a Monday posting. These hooked APIs hide the TeamViewer interface so that the user would not know it is running, save TeamViewer session credentials to a text file, and allow the transfer and remote execution of additional executable or DLL files.

Once the malicious TeamViewer is up and running, the adversary sets about using its remote desktop functionality to gain access to the targeted system as if he or she were a legitimate user of the computer. The custom build of TeamViewer isn’t that sophisticated, according to Check Point – however, it has been very successful.

Victimology and a Pattern of Attacks

“We have seen at least five different officials, each from a different country, infected with it,” Lotem Finkelsteen, threat intelligence group manager at Check Point, told Threatpost. “The attacker succeeded in taking screenshots and fingerprinting the computers of these officials. The screenshots assisted him with filtering in and out victims, based on their identity and position. We know the attacker established full remote access to those victims, using the weaponized TeamViewer. Once he gained remote control, he has unlimited access to the infected machine and connected networks.”
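The two pivots of the chain described above, Excel launching AutoHotkeyU32.exe after macros are enabled and TeamViewer.exe loading TV.DLL from a user-writable directory, as detection rules run over constructed endpoint events. This is an added example, not code from the article or from Check Point; the event format, the sample paths and the trusted-directory allowlist are assumptions.

```python
import ntpath

# Constructed, simplified process-creation (id 1) and image-load (id 7) events,
# shaped "event_id|image|parent_image|loaded_image". Assumed format, not real telemetry.
SAMPLE_EVENTS = [
    "1|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|C:\\Windows\\explorer.exe|",
    "1|C:\\Users\\jdoe\\AppData\\Local\\Temp\\AutoHotkeyU32.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|",
    "7|C:\\Users\\jdoe\\AppData\\Roaming\\tv\\TeamViewer.exe||C:\\Users\\jdoe\\AppData\\Roaming\\tv\\TV.DLL",
    # Constructed benign control: a load from the trusted install directory must not alert.
    "7|C:\\Program Files\\TeamViewer\\TeamViewer.exe||C:\\Program Files\\TeamViewer\\TV.DLL",
    "1|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|",
]

# Assumed allowlist of directories where a legitimately installed TeamViewer lives.
TRUSTED_TEAMVIEWER_DIRS = {
    "c:\\program files\\teamviewer",
    "c:\\program files (x86)\\teamviewer",
}


def parse_event(line):
    """Split one pipe-delimited event line into its four fields."""
    event_id, image, parent, loaded = line.split("|")
    return {"id": int(event_id), "image": image, "parent": parent, "loaded": loaded}


def basename(path):
    # ntpath handles Windows separators on any host OS; compare case-insensitively.
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def check_event(ev):
    """Return an alert string for a suspicious event, or None."""
    # Rule 1: an Office process (the macro) launching AutoHotkeyU32.exe.
    if ev["id"] == 1 and basename(ev["parent"]) == "excel.exe" \
            and basename(ev["image"]) == "autohotkeyu32.exe":
        return f"office-spawned-autohotkey: {ev['image']}"
    # Rule 2: TeamViewer.exe loading TV.DLL from outside the trusted install path,
    # the side-loading pattern the article describes.
    if ev["id"] == 7 and basename(ev["image"]) == "teamviewer.exe" \
            and basename(ev["loaded"]) == "tv.dll" \
            and dirname(ev["loaded"]) not in TRUSTED_TEAMVIEWER_DIRS:
        return f"teamviewer-sideload: {ev['loaded']}"
    return None


def scan(lines):
    """Run both rules over a sequence of event lines and return the alerts in order."""
    return [a for a in (check_event(parse_event(line)) for line in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```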
